From 4c6b851e3721a9b9b0a45ab1382b3c2bbfe50b0d Mon Sep 17 00:00:00 2001 From: Jayanth Varavani <1111446+jayanthvn@users.noreply.github.com> Date: Wed, 19 Aug 2020 19:21:01 +0000 Subject: [PATCH] cherry pick from v1.7 to master Add calico.yaml to v1.7 --- CHANGELOG.md | 37 + config/master/aws-k8s-cni-cn.yaml | 2 + config/master/aws-k8s-cni-us-gov-east-1.yaml | 2 + config/master/aws-k8s-cni-us-gov-west-1.yaml | 2 + config/master/aws-k8s-cni.yaml | 2 + config/master/manifests.jsonnet | 2 +- config/v1.7/aws-k8s-cni-cn.yaml | 235 ++++++ config/v1.7/aws-k8s-cni-us-gov-east-1.yaml | 235 ++++++ config/v1.7/aws-k8s-cni-us-gov-west-1.yaml | 235 ++++++ config/v1.7/aws-k8s-cni.yaml | 235 ++++++ config/v1.7/calico.yaml | 758 ++++++++++++++++++ config/v1.7/cni-metrics-helper-cn.yaml | 100 +++ .../cni-metrics-helper-us-gov-east-1.yaml | 100 +++ .../cni-metrics-helper-us-gov-west-1.yaml | 100 +++ config/v1.7/cni-metrics-helper.yaml | 100 +++ 15 files changed, 2144 insertions(+), 1 deletion(-) create mode 100644 config/v1.7/aws-k8s-cni-cn.yaml create mode 100644 config/v1.7/aws-k8s-cni-us-gov-east-1.yaml create mode 100644 config/v1.7/aws-k8s-cni-us-gov-west-1.yaml create mode 100644 config/v1.7/aws-k8s-cni.yaml create mode 100644 config/v1.7/calico.yaml create mode 100644 config/v1.7/cni-metrics-helper-cn.yaml create mode 100644 config/v1.7/cni-metrics-helper-us-gov-east-1.yaml create mode 100644 config/v1.7/cni-metrics-helper-us-gov-west-1.yaml create mode 100644 config/v1.7/cni-metrics-helper.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 1f5f207a98..205f857db1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,42 @@ # Changelog +## v1.7.0 + +* Improvement - [Reject version skew between gRPC client and server](https://github.com/aws/amazon-vpc-cni-k8s/pull/1141) (#1141, @anguslees) +* Improvement - [Write to IPAM checkpoint file immediately after reading from CRI](https://github.com/aws/amazon-vpc-cni-k8s/pull/1140) (#1140, @anguslees) +* Improvement - [Fix a log message](https://github.com/aws/amazon-vpc-cni-k8s/pull/1138) (#1138, @anguslees) +* Improvement - [Add ipamd changes for sg support](https://github.com/aws/amazon-vpc-cni-k8s/pull/1126) (#1126, @mogren) +* Improvement - [Add support to setup pod network using VLANss](https://github.com/aws/amazon-vpc-cni-k8s/pull/1125) (#1125, @SaranBalaji90) +* Improvement - [Improve CRI->checkpoint logic in the face of downgrades](https://github.com/aws/amazon-vpc-cni-k8s/pull/1123) (#1123, @anguslees) +* Improvement - [Slash and burn unused code](https://github.com/aws/amazon-vpc-cni-k8s/pull/1115) (#1115, @anguslees) +* Improvement - [Remove references to unused metadata `owner-id`](https://github.com/aws/amazon-vpc-cni-k8s/pull/1111) (#1111, @anguslees) +* Improvement - [Remove old pre-1.3 migration code](https://github.com/aws/amazon-vpc-cni-k8s/pull/1110) (#1110, @anguslees) +* Improvement - [Enable log config for the metrics agent](https://github.com/aws/amazon-vpc-cni-k8s/pull/1104) (#1104, @mogren) +* Improvement - [Refactor ENI limit struct](https://github.com/aws/amazon-vpc-cni-k8s/pull/1035) (#1035, @mogren) +* Improvement - [Use sed as a stream editor and redirect to file](https://github.com/aws/amazon-vpc-cni-k8s/pull/1069) (#1069, @willejs) +* Improvement - [JSON output format for the entrypoint script](https://github.com/aws/amazon-vpc-cni-k8s/pull/1066) (#1066, @jayanthvn) +* Improvement - [Use install command instead of cp](https://github.com/aws/amazon-vpc-cni-k8s/pull/1061) (#1061, @mogren) +* Improvement - [Updated manifest configs with default env vars](https://github.com/aws/amazon-vpc-cni-k8s/pull/1057) (#1057, @saiteja313) +* Improvement - [Default to random-fully](https://github.com/aws/amazon-vpc-cni-k8s/pull/1048) (#1048, @mogren) +* Improvement - [Update probe settings](https://github.com/aws/amazon-vpc-cni-k8s/pull/1028) (#1028, @mogren) +* Improvement - [Added warning if delete on termination is set to false for the primary ENI](https://github.com/aws/amazon-vpc-cni-k8s/pull/1024) (#1024, @jayanthvn) +* Improvement - [Limit scope of logs writable by ipamd container](https://github.com/aws/amazon-vpc-cni-k8s/pull/987) (#987, @anguslees) +* Improvement - [Autogenerate per-region YAML manifests from a common template](https://github.com/aws/amazon-vpc-cni-k8s/pull/986) (#986, @anguslees) +* Improvement - [Persist IPAM state to local file and use across restarts](https://github.com/aws/amazon-vpc-cni-k8s/pull/972) (#972, @anguslees) +* Improvement - [Add init container](https://github.com/aws/amazon-vpc-cni-k8s/pull955) (#955, @mogren) +* Improvement - [Refresh subnet/CIDR information periodically](https://github.com/aws/amazon-vpc-cni-k8s/pull/903) (#903, @nithu0115) +* Docs - [Changed data type for variables in README](https://github.com/aws/amazon-vpc-cni-k8s/pull/1116) (#1116, @abhinavmpandey08) +* Docs - [Fix docs links for cni-metrics-agent](https://github.com/aws/amazon-vpc-cni-k8s/pull/1072) (#1072, @mogren) +* Testing - [Create script to run all release tests](https://github.com/aws/amazon-vpc-cni-k8s/pull/1106) (#1106, @bnapolitan) +* Testing - [Cover bottlerocket cluster test](https://github.com/aws/amazon-vpc-cni-k8s/pull/1096) (#1096, @bnapolitan) +* Testing - [Introduce automated performance testing](https://github.com/aws/amazon-vpc-cni-k8s/pull/1068) (#1068, @bnapolitan) +* Testing - [scripts/lib: bump up tester to v1.4.0](https://github.com/aws/amazon-vpc-cni-k8s/pull/1065) (#1065, @gyuho) +* Testing - [Add parallel testing to conformance](https://github.com/aws/amazon-vpc-cni-k8s/pull/1018) (#1018, @bnapolitan) +* Testing - [Cache go packages in CircleCI](https://github.com/aws/amazon-vpc-cni-k8s/pull/1017) (#1017, @bnapolitan) +* Testing - [Create roles by default for e2e test cluster creation](https://github.com/aws/amazon-vpc-cni-k8s/pull/994) (#994, @bnapolitan) +* Bug - [Use limits from API for g4dn.16xlarge](https://github.com/aws/amazon-vpc-cni-k8s/pull/1086) (#1086, @mogren) +* Bug - [Make metrics-helper docker logging statement multi-arch compatible](https://github.com/aws/amazon-vpc-cni-k8s/pull/1067) (#1067, @nprab428) + ## v1.6.3 * Bug - [Handle stale instance metadata](https://github.com/aws/amazon-vpc-cni-k8s/pull/1011) (#1011, @mogren) * Improvement - [Add support for c5a and c5ad](https://github.com/aws/amazon-vpc-cni-k8s/pull/1003) (#1003, @mogren) diff --git a/config/master/aws-k8s-cni-cn.yaml b/config/master/aws-k8s-cni-cn.yaml index f4fb3c331d..738d785b9a 100644 --- a/config/master/aws-k8s-cni-cn.yaml +++ b/config/master/aws-k8s-cni-cn.yaml @@ -96,6 +96,7 @@ "operator": "In" "values": - "amd64" + - "arm64" - "key": "eks.amazonaws.com/compute-type" "operator": "NotIn" "values": @@ -109,6 +110,7 @@ "operator": "In" "values": - "amd64" + - "arm64" - "key": "eks.amazonaws.com/compute-type" "operator": "NotIn" "values": diff --git a/config/master/aws-k8s-cni-us-gov-east-1.yaml b/config/master/aws-k8s-cni-us-gov-east-1.yaml index 5d1dbb0701..067d81a262 100644 --- a/config/master/aws-k8s-cni-us-gov-east-1.yaml +++ b/config/master/aws-k8s-cni-us-gov-east-1.yaml @@ -96,6 +96,7 @@ "operator": "In" "values": - "amd64" + - "arm64" - "key": "eks.amazonaws.com/compute-type" "operator": "NotIn" "values": @@ -109,6 +110,7 @@ "operator": "In" "values": - "amd64" + - "arm64" - "key": "eks.amazonaws.com/compute-type" "operator": "NotIn" "values": diff --git a/config/master/aws-k8s-cni-us-gov-west-1.yaml b/config/master/aws-k8s-cni-us-gov-west-1.yaml index b7796b1d46..2f077054d8 100644 --- a/config/master/aws-k8s-cni-us-gov-west-1.yaml +++ b/config/master/aws-k8s-cni-us-gov-west-1.yaml @@ -96,6 +96,7 @@ "operator": "In" "values": - "amd64" + - "arm64" - "key": "eks.amazonaws.com/compute-type" "operator": "NotIn" "values": @@ -109,6 +110,7 @@ "operator": "In" "values": - "amd64" + - "arm64" - "key": "eks.amazonaws.com/compute-type" "operator": "NotIn" "values": diff --git a/config/master/aws-k8s-cni.yaml b/config/master/aws-k8s-cni.yaml index a71e96070f..e28fbe5589 100644 --- a/config/master/aws-k8s-cni.yaml +++ b/config/master/aws-k8s-cni.yaml @@ -96,6 +96,7 @@ "operator": "In" "values": - "amd64" + - "arm64" - "key": "eks.amazonaws.com/compute-type" "operator": "NotIn" "values": @@ -109,6 +110,7 @@ "operator": "In" "values": - "amd64" + - "arm64" - "key": "eks.amazonaws.com/compute-type" "operator": "NotIn" "values": diff --git a/config/master/manifests.jsonnet b/config/master/manifests.jsonnet index ed12aa149e..10a76b2322 100644 --- a/config/master/manifests.jsonnet +++ b/config/master/manifests.jsonnet @@ -125,7 +125,7 @@ local awsnode = { { key: prefix + "kubernetes.io/arch", operator: "In", - values: ["amd64"], + values: ["amd64", "arm64"], }, { key: "eks.amazonaws.com/compute-type", diff --git a/config/v1.7/aws-k8s-cni-cn.yaml b/config/v1.7/aws-k8s-cni-cn.yaml new file mode 100644 index 0000000000..ea9816814d --- /dev/null +++ b/config/v1.7/aws-k8s-cni-cn.yaml @@ -0,0 +1,235 @@ +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRoleBinding" +"metadata": + "name": "aws-node" +"roleRef": + "apiGroup": "rbac.authorization.k8s.io" + "kind": "ClusterRole" + "name": "aws-node" +"subjects": +- "kind": "ServiceAccount" + "name": "aws-node" + "namespace": "kube-system" +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRole" +"metadata": + "name": "aws-node" +"rules": +- "apiGroups": + - "crd.k8s.amazonaws.com" + "resources": + - "eniconfigs" + "verbs": + - "get" + - "list" + - "watch" +- "apiGroups": + - "" + "resources": + - "pods" + - "namespaces" + "verbs": + - "list" + - "watch" + - "get" +- "apiGroups": + - "" + "resources": + - "nodes" + "verbs": + - "list" + - "watch" + - "get" + - "update" +- "apiGroups": + - "extensions" + "resources": + - "*" + "verbs": + - "list" + - "watch" +--- +"apiVersion": "apiextensions.k8s.io/v1beta1" +"kind": "CustomResourceDefinition" +"metadata": + "name": "eniconfigs.crd.k8s.amazonaws.com" +"spec": + "group": "crd.k8s.amazonaws.com" + "names": + "kind": "ENIConfig" + "plural": "eniconfigs" + "singular": "eniconfig" + "scope": "Cluster" + "versions": + - "name": "v1alpha1" + "served": true + "storage": true +--- +"apiVersion": "apps/v1" +"kind": "DaemonSet" +"metadata": + "labels": + "k8s-app": "aws-node" + "name": "aws-node" + "namespace": "kube-system" +"spec": + "selector": + "matchLabels": + "k8s-app": "aws-node" + "template": + "metadata": + "labels": + "k8s-app": "aws-node" + "spec": + "affinity": + "nodeAffinity": + "requiredDuringSchedulingIgnoredDuringExecution": + "nodeSelectorTerms": + - "matchExpressions": + - "key": "beta.kubernetes.io/os" + "operator": "In" + "values": + - "linux" + - "key": "beta.kubernetes.io/arch" + "operator": "In" + "values": + - "amd64" + - "arm64" + - "key": "eks.amazonaws.com/compute-type" + "operator": "NotIn" + "values": + - "fargate" + - "matchExpressions": + - "key": "kubernetes.io/os" + "operator": "In" + "values": + - "linux" + - "key": "kubernetes.io/arch" + "operator": "In" + "values": + - "amd64" + - "arm64" + - "key": "eks.amazonaws.com/compute-type" + "operator": "NotIn" + "values": + - "fargate" + "containers": + - "env": + - "name": "ADDITIONAL_ENI_TAGS" + "value": "{}" + - "name": "AWS_VPC_CNI_NODE_PORT_SUPPORT" + "value": "true" + - "name": "AWS_VPC_ENI_MTU" + "value": "9001" + - "name": "AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER" + "value": "false" + - "name": "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG" + "value": "false" + - "name": "AWS_VPC_K8S_CNI_EXTERNALSNAT" + "value": "false" + - "name": "AWS_VPC_K8S_CNI_LOGLEVEL" + "value": "DEBUG" + - "name": "AWS_VPC_K8S_CNI_LOG_FILE" + "value": "/host/var/log/aws-routed-eni/ipamd.log" + - "name": "AWS_VPC_K8S_CNI_RANDOMIZESNAT" + "value": "prng" + - "name": "AWS_VPC_K8S_CNI_VETHPREFIX" + "value": "eni" + - "name": "AWS_VPC_K8S_PLUGIN_LOG_FILE" + "value": "/var/log/aws-routed-eni/plugin.log" + - "name": "AWS_VPC_K8S_PLUGIN_LOG_LEVEL" + "value": "DEBUG" + - "name": "DISABLE_INTROSPECTION" + "value": "false" + - "name": "DISABLE_METRICS" + "value": "false" + - "name": "ENABLE_POD_ENI" + "value": "false" + - "name": "MY_NODE_NAME" + "valueFrom": + "fieldRef": + "fieldPath": "spec.nodeName" + - "name": "WARM_ENI_TARGET" + "value": "1" + "image": "961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni:v1.7.0" + "imagePullPolicy": "Always" + "livenessProbe": + "exec": + "command": + - "/app/grpc-health-probe" + - "-addr=:50051" + "initialDelaySeconds": 60 + "name": "aws-node" + "ports": + - "containerPort": 61678 + "name": "metrics" + "readinessProbe": + "exec": + "command": + - "/app/grpc-health-probe" + - "-addr=:50051" + "initialDelaySeconds": 1 + "resources": + "requests": + "cpu": "10m" + "securityContext": + "capabilities": + "add": + - "NET_ADMIN" + "volumeMounts": + - "mountPath": "/host/opt/cni/bin" + "name": "cni-bin-dir" + - "mountPath": "/host/etc/cni/net.d" + "name": "cni-net-dir" + - "mountPath": "/host/var/log/aws-routed-eni" + "name": "log-dir" + - "mountPath": "/var/run/aws-node" + "name": "run-dir" + - "mountPath": "/var/run/dockershim.sock" + "name": "dockershim" + "hostNetwork": true + "initContainers": + - "image": "961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni-init:v1.7.0" + "imagePullPolicy": "Always" + "name": "aws-vpc-cni-init" + "securityContext": + "privileged": true + "volumeMounts": + - "mountPath": "/host/opt/cni/bin" + "name": "cni-bin-dir" + "priorityClassName": "system-node-critical" + "serviceAccountName": "aws-node" + "terminationGracePeriodSeconds": 10 + "tolerations": + - "operator": "Exists" + "volumes": + - "hostPath": + "path": "/opt/cni/bin" + "name": "cni-bin-dir" + - "hostPath": + "path": "/etc/cni/net.d" + "name": "cni-net-dir" + - "hostPath": + "path": "/var/run/dockershim.sock" + "name": "dockershim" + - "hostPath": + "path": "/var/log/aws-routed-eni" + "type": "DirectoryOrCreate" + "name": "log-dir" + - "hostPath": + "path": "/var/run/aws-node" + "type": "DirectoryOrCreate" + "name": "run-dir" + "updateStrategy": + "rollingUpdate": + "maxUnavailable": "10%" + "type": "RollingUpdate" +--- +"apiVersion": "v1" +"kind": "ServiceAccount" +"metadata": + "name": "aws-node" + "namespace": "kube-system" +... diff --git a/config/v1.7/aws-k8s-cni-us-gov-east-1.yaml b/config/v1.7/aws-k8s-cni-us-gov-east-1.yaml new file mode 100644 index 0000000000..73411239a5 --- /dev/null +++ b/config/v1.7/aws-k8s-cni-us-gov-east-1.yaml @@ -0,0 +1,235 @@ +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRoleBinding" +"metadata": + "name": "aws-node" +"roleRef": + "apiGroup": "rbac.authorization.k8s.io" + "kind": "ClusterRole" + "name": "aws-node" +"subjects": +- "kind": "ServiceAccount" + "name": "aws-node" + "namespace": "kube-system" +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRole" +"metadata": + "name": "aws-node" +"rules": +- "apiGroups": + - "crd.k8s.amazonaws.com" + "resources": + - "eniconfigs" + "verbs": + - "get" + - "list" + - "watch" +- "apiGroups": + - "" + "resources": + - "pods" + - "namespaces" + "verbs": + - "list" + - "watch" + - "get" +- "apiGroups": + - "" + "resources": + - "nodes" + "verbs": + - "list" + - "watch" + - "get" + - "update" +- "apiGroups": + - "extensions" + "resources": + - "*" + "verbs": + - "list" + - "watch" +--- +"apiVersion": "apiextensions.k8s.io/v1beta1" +"kind": "CustomResourceDefinition" +"metadata": + "name": "eniconfigs.crd.k8s.amazonaws.com" +"spec": + "group": "crd.k8s.amazonaws.com" + "names": + "kind": "ENIConfig" + "plural": "eniconfigs" + "singular": "eniconfig" + "scope": "Cluster" + "versions": + - "name": "v1alpha1" + "served": true + "storage": true +--- +"apiVersion": "apps/v1" +"kind": "DaemonSet" +"metadata": + "labels": + "k8s-app": "aws-node" + "name": "aws-node" + "namespace": "kube-system" +"spec": + "selector": + "matchLabels": + "k8s-app": "aws-node" + "template": + "metadata": + "labels": + "k8s-app": "aws-node" + "spec": + "affinity": + "nodeAffinity": + "requiredDuringSchedulingIgnoredDuringExecution": + "nodeSelectorTerms": + - "matchExpressions": + - "key": "beta.kubernetes.io/os" + "operator": "In" + "values": + - "linux" + - "key": "beta.kubernetes.io/arch" + "operator": "In" + "values": + - "amd64" + - "arm64" + - "key": "eks.amazonaws.com/compute-type" + "operator": "NotIn" + "values": + - "fargate" + - "matchExpressions": + - "key": "kubernetes.io/os" + "operator": "In" + "values": + - "linux" + - "key": "kubernetes.io/arch" + "operator": "In" + "values": + - "amd64" + - "arm64" + - "key": "eks.amazonaws.com/compute-type" + "operator": "NotIn" + "values": + - "fargate" + "containers": + - "env": + - "name": "ADDITIONAL_ENI_TAGS" + "value": "{}" + - "name": "AWS_VPC_CNI_NODE_PORT_SUPPORT" + "value": "true" + - "name": "AWS_VPC_ENI_MTU" + "value": "9001" + - "name": "AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER" + "value": "false" + - "name": "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG" + "value": "false" + - "name": "AWS_VPC_K8S_CNI_EXTERNALSNAT" + "value": "false" + - "name": "AWS_VPC_K8S_CNI_LOGLEVEL" + "value": "DEBUG" + - "name": "AWS_VPC_K8S_CNI_LOG_FILE" + "value": "/host/var/log/aws-routed-eni/ipamd.log" + - "name": "AWS_VPC_K8S_CNI_RANDOMIZESNAT" + "value": "prng" + - "name": "AWS_VPC_K8S_CNI_VETHPREFIX" + "value": "eni" + - "name": "AWS_VPC_K8S_PLUGIN_LOG_FILE" + "value": "/var/log/aws-routed-eni/plugin.log" + - "name": "AWS_VPC_K8S_PLUGIN_LOG_LEVEL" + "value": "DEBUG" + - "name": "DISABLE_INTROSPECTION" + "value": "false" + - "name": "DISABLE_METRICS" + "value": "false" + - "name": "ENABLE_POD_ENI" + "value": "false" + - "name": "MY_NODE_NAME" + "valueFrom": + "fieldRef": + "fieldPath": "spec.nodeName" + - "name": "WARM_ENI_TARGET" + "value": "1" + "image": "151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni:v1.7.0" + "imagePullPolicy": "Always" + "livenessProbe": + "exec": + "command": + - "/app/grpc-health-probe" + - "-addr=:50051" + "initialDelaySeconds": 60 + "name": "aws-node" + "ports": + - "containerPort": 61678 + "name": "metrics" + "readinessProbe": + "exec": + "command": + - "/app/grpc-health-probe" + - "-addr=:50051" + "initialDelaySeconds": 1 + "resources": + "requests": + "cpu": "10m" + "securityContext": + "capabilities": + "add": + - "NET_ADMIN" + "volumeMounts": + - "mountPath": "/host/opt/cni/bin" + "name": "cni-bin-dir" + - "mountPath": "/host/etc/cni/net.d" + "name": "cni-net-dir" + - "mountPath": "/host/var/log/aws-routed-eni" + "name": "log-dir" + - "mountPath": "/var/run/aws-node" + "name": "run-dir" + - "mountPath": "/var/run/dockershim.sock" + "name": "dockershim" + "hostNetwork": true + "initContainers": + - "image": "151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni-init:v1.7.0" + "imagePullPolicy": "Always" + "name": "aws-vpc-cni-init" + "securityContext": + "privileged": true + "volumeMounts": + - "mountPath": "/host/opt/cni/bin" + "name": "cni-bin-dir" + "priorityClassName": "system-node-critical" + "serviceAccountName": "aws-node" + "terminationGracePeriodSeconds": 10 + "tolerations": + - "operator": "Exists" + "volumes": + - "hostPath": + "path": "/opt/cni/bin" + "name": "cni-bin-dir" + - "hostPath": + "path": "/etc/cni/net.d" + "name": "cni-net-dir" + - "hostPath": + "path": "/var/run/dockershim.sock" + "name": "dockershim" + - "hostPath": + "path": "/var/log/aws-routed-eni" + "type": "DirectoryOrCreate" + "name": "log-dir" + - "hostPath": + "path": "/var/run/aws-node" + "type": "DirectoryOrCreate" + "name": "run-dir" + "updateStrategy": + "rollingUpdate": + "maxUnavailable": "10%" + "type": "RollingUpdate" +--- +"apiVersion": "v1" +"kind": "ServiceAccount" +"metadata": + "name": "aws-node" + "namespace": "kube-system" +... diff --git a/config/v1.7/aws-k8s-cni-us-gov-west-1.yaml b/config/v1.7/aws-k8s-cni-us-gov-west-1.yaml new file mode 100644 index 0000000000..3209dd476b --- /dev/null +++ b/config/v1.7/aws-k8s-cni-us-gov-west-1.yaml @@ -0,0 +1,235 @@ +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRoleBinding" +"metadata": + "name": "aws-node" +"roleRef": + "apiGroup": "rbac.authorization.k8s.io" + "kind": "ClusterRole" + "name": "aws-node" +"subjects": +- "kind": "ServiceAccount" + "name": "aws-node" + "namespace": "kube-system" +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRole" +"metadata": + "name": "aws-node" +"rules": +- "apiGroups": + - "crd.k8s.amazonaws.com" + "resources": + - "eniconfigs" + "verbs": + - "get" + - "list" + - "watch" +- "apiGroups": + - "" + "resources": + - "pods" + - "namespaces" + "verbs": + - "list" + - "watch" + - "get" +- "apiGroups": + - "" + "resources": + - "nodes" + "verbs": + - "list" + - "watch" + - "get" + - "update" +- "apiGroups": + - "extensions" + "resources": + - "*" + "verbs": + - "list" + - "watch" +--- +"apiVersion": "apiextensions.k8s.io/v1beta1" +"kind": "CustomResourceDefinition" +"metadata": + "name": "eniconfigs.crd.k8s.amazonaws.com" +"spec": + "group": "crd.k8s.amazonaws.com" + "names": + "kind": "ENIConfig" + "plural": "eniconfigs" + "singular": "eniconfig" + "scope": "Cluster" + "versions": + - "name": "v1alpha1" + "served": true + "storage": true +--- +"apiVersion": "apps/v1" +"kind": "DaemonSet" +"metadata": + "labels": + "k8s-app": "aws-node" + "name": "aws-node" + "namespace": "kube-system" +"spec": + "selector": + "matchLabels": + "k8s-app": "aws-node" + "template": + "metadata": + "labels": + "k8s-app": "aws-node" + "spec": + "affinity": + "nodeAffinity": + "requiredDuringSchedulingIgnoredDuringExecution": + "nodeSelectorTerms": + - "matchExpressions": + - "key": "beta.kubernetes.io/os" + "operator": "In" + "values": + - "linux" + - "key": "beta.kubernetes.io/arch" + "operator": "In" + "values": + - "amd64" + - "arm64" + - "key": "eks.amazonaws.com/compute-type" + "operator": "NotIn" + "values": + - "fargate" + - "matchExpressions": + - "key": "kubernetes.io/os" + "operator": "In" + "values": + - "linux" + - "key": "kubernetes.io/arch" + "operator": "In" + "values": + - "amd64" + - "arm64" + - "key": "eks.amazonaws.com/compute-type" + "operator": "NotIn" + "values": + - "fargate" + "containers": + - "env": + - "name": "ADDITIONAL_ENI_TAGS" + "value": "{}" + - "name": "AWS_VPC_CNI_NODE_PORT_SUPPORT" + "value": "true" + - "name": "AWS_VPC_ENI_MTU" + "value": "9001" + - "name": "AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER" + "value": "false" + - "name": "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG" + "value": "false" + - "name": "AWS_VPC_K8S_CNI_EXTERNALSNAT" + "value": "false" + - "name": "AWS_VPC_K8S_CNI_LOGLEVEL" + "value": "DEBUG" + - "name": "AWS_VPC_K8S_CNI_LOG_FILE" + "value": "/host/var/log/aws-routed-eni/ipamd.log" + - "name": "AWS_VPC_K8S_CNI_RANDOMIZESNAT" + "value": "prng" + - "name": "AWS_VPC_K8S_CNI_VETHPREFIX" + "value": "eni" + - "name": "AWS_VPC_K8S_PLUGIN_LOG_FILE" + "value": "/var/log/aws-routed-eni/plugin.log" + - "name": "AWS_VPC_K8S_PLUGIN_LOG_LEVEL" + "value": "DEBUG" + - "name": "DISABLE_INTROSPECTION" + "value": "false" + - "name": "DISABLE_METRICS" + "value": "false" + - "name": "ENABLE_POD_ENI" + "value": "false" + - "name": "MY_NODE_NAME" + "valueFrom": + "fieldRef": + "fieldPath": "spec.nodeName" + - "name": "WARM_ENI_TARGET" + "value": "1" + "image": "013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon-k8s-cni:v1.7.0" + "imagePullPolicy": "Always" + "livenessProbe": + "exec": + "command": + - "/app/grpc-health-probe" + - "-addr=:50051" + "initialDelaySeconds": 60 + "name": "aws-node" + "ports": + - "containerPort": 61678 + "name": "metrics" + "readinessProbe": + "exec": + "command": + - "/app/grpc-health-probe" + - "-addr=:50051" + "initialDelaySeconds": 1 + "resources": + "requests": + "cpu": "10m" + "securityContext": + "capabilities": + "add": + - "NET_ADMIN" + "volumeMounts": + - "mountPath": "/host/opt/cni/bin" + "name": "cni-bin-dir" + - "mountPath": "/host/etc/cni/net.d" + "name": "cni-net-dir" + - "mountPath": "/host/var/log/aws-routed-eni" + "name": "log-dir" + - "mountPath": "/var/run/aws-node" + "name": "run-dir" + - "mountPath": "/var/run/dockershim.sock" + "name": "dockershim" + "hostNetwork": true + "initContainers": + - "image": "013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon-k8s-cni-init:v1.7.0" + "imagePullPolicy": "Always" + "name": "aws-vpc-cni-init" + "securityContext": + "privileged": true + "volumeMounts": + - "mountPath": "/host/opt/cni/bin" + "name": "cni-bin-dir" + "priorityClassName": "system-node-critical" + "serviceAccountName": "aws-node" + "terminationGracePeriodSeconds": 10 + "tolerations": + - "operator": "Exists" + "volumes": + - "hostPath": + "path": "/opt/cni/bin" + "name": "cni-bin-dir" + - "hostPath": + "path": "/etc/cni/net.d" + "name": "cni-net-dir" + - "hostPath": + "path": "/var/run/dockershim.sock" + "name": "dockershim" + - "hostPath": + "path": "/var/log/aws-routed-eni" + "type": "DirectoryOrCreate" + "name": "log-dir" + - "hostPath": + "path": "/var/run/aws-node" + "type": "DirectoryOrCreate" + "name": "run-dir" + "updateStrategy": + "rollingUpdate": + "maxUnavailable": "10%" + "type": "RollingUpdate" +--- +"apiVersion": "v1" +"kind": "ServiceAccount" +"metadata": + "name": "aws-node" + "namespace": "kube-system" +... diff --git a/config/v1.7/aws-k8s-cni.yaml b/config/v1.7/aws-k8s-cni.yaml new file mode 100644 index 0000000000..76ec7336b4 --- /dev/null +++ b/config/v1.7/aws-k8s-cni.yaml @@ -0,0 +1,235 @@ +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRoleBinding" +"metadata": + "name": "aws-node" +"roleRef": + "apiGroup": "rbac.authorization.k8s.io" + "kind": "ClusterRole" + "name": "aws-node" +"subjects": +- "kind": "ServiceAccount" + "name": "aws-node" + "namespace": "kube-system" +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRole" +"metadata": + "name": "aws-node" +"rules": +- "apiGroups": + - "crd.k8s.amazonaws.com" + "resources": + - "eniconfigs" + "verbs": + - "get" + - "list" + - "watch" +- "apiGroups": + - "" + "resources": + - "pods" + - "namespaces" + "verbs": + - "list" + - "watch" + - "get" +- "apiGroups": + - "" + "resources": + - "nodes" + "verbs": + - "list" + - "watch" + - "get" + - "update" +- "apiGroups": + - "extensions" + "resources": + - "*" + "verbs": + - "list" + - "watch" +--- +"apiVersion": "apiextensions.k8s.io/v1beta1" +"kind": "CustomResourceDefinition" +"metadata": + "name": "eniconfigs.crd.k8s.amazonaws.com" +"spec": + "group": "crd.k8s.amazonaws.com" + "names": + "kind": "ENIConfig" + "plural": "eniconfigs" + "singular": "eniconfig" + "scope": "Cluster" + "versions": + - "name": "v1alpha1" + "served": true + "storage": true +--- +"apiVersion": "apps/v1" +"kind": "DaemonSet" +"metadata": + "labels": + "k8s-app": "aws-node" + "name": "aws-node" + "namespace": "kube-system" +"spec": + "selector": + "matchLabels": + "k8s-app": "aws-node" + "template": + "metadata": + "labels": + "k8s-app": "aws-node" + "spec": + "affinity": + "nodeAffinity": + "requiredDuringSchedulingIgnoredDuringExecution": + "nodeSelectorTerms": + - "matchExpressions": + - "key": "beta.kubernetes.io/os" + "operator": "In" + "values": + - "linux" + - "key": "beta.kubernetes.io/arch" + "operator": "In" + "values": + - "amd64" + - "arm64" + - "key": "eks.amazonaws.com/compute-type" + "operator": "NotIn" + "values": + - "fargate" + - "matchExpressions": + - "key": "kubernetes.io/os" + "operator": "In" + "values": + - "linux" + - "key": "kubernetes.io/arch" + "operator": "In" + "values": + - "amd64" + - "arm64" + - "key": "eks.amazonaws.com/compute-type" + "operator": "NotIn" + "values": + - "fargate" + "containers": + - "env": + - "name": "ADDITIONAL_ENI_TAGS" + "value": "{}" + - "name": "AWS_VPC_CNI_NODE_PORT_SUPPORT" + "value": "true" + - "name": "AWS_VPC_ENI_MTU" + "value": "9001" + - "name": "AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER" + "value": "false" + - "name": "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG" + "value": "false" + - "name": "AWS_VPC_K8S_CNI_EXTERNALSNAT" + "value": "false" + - "name": "AWS_VPC_K8S_CNI_LOGLEVEL" + "value": "DEBUG" + - "name": "AWS_VPC_K8S_CNI_LOG_FILE" + "value": "/host/var/log/aws-routed-eni/ipamd.log" + - "name": "AWS_VPC_K8S_CNI_RANDOMIZESNAT" + "value": "prng" + - "name": "AWS_VPC_K8S_CNI_VETHPREFIX" + "value": "eni" + - "name": "AWS_VPC_K8S_PLUGIN_LOG_FILE" + "value": "/var/log/aws-routed-eni/plugin.log" + - "name": "AWS_VPC_K8S_PLUGIN_LOG_LEVEL" + "value": "DEBUG" + - "name": "DISABLE_INTROSPECTION" + "value": "false" + - "name": "DISABLE_METRICS" + "value": "false" + - "name": "ENABLE_POD_ENI" + "value": "false" + - "name": "MY_NODE_NAME" + "valueFrom": + "fieldRef": + "fieldPath": "spec.nodeName" + - "name": "WARM_ENI_TARGET" + "value": "1" + "image": "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.7.0" + "imagePullPolicy": "Always" + "livenessProbe": + "exec": + "command": + - "/app/grpc-health-probe" + - "-addr=:50051" + "initialDelaySeconds": 60 + "name": "aws-node" + "ports": + - "containerPort": 61678 + "name": "metrics" + "readinessProbe": + "exec": + "command": + - "/app/grpc-health-probe" + - "-addr=:50051" + "initialDelaySeconds": 1 + "resources": + "requests": + "cpu": "10m" + "securityContext": + "capabilities": + "add": + - "NET_ADMIN" + "volumeMounts": + - "mountPath": "/host/opt/cni/bin" + "name": "cni-bin-dir" + - "mountPath": "/host/etc/cni/net.d" + "name": "cni-net-dir" + - "mountPath": "/host/var/log/aws-routed-eni" + "name": "log-dir" + - "mountPath": "/var/run/aws-node" + "name": "run-dir" + - "mountPath": "/var/run/dockershim.sock" + "name": "dockershim" + "hostNetwork": true + "initContainers": + - "image": "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.7.0" + "imagePullPolicy": "Always" + "name": "aws-vpc-cni-init" + "securityContext": + "privileged": true + "volumeMounts": + - "mountPath": "/host/opt/cni/bin" + "name": "cni-bin-dir" + "priorityClassName": "system-node-critical" + "serviceAccountName": "aws-node" + "terminationGracePeriodSeconds": 10 + "tolerations": + - "operator": "Exists" + "volumes": + - "hostPath": + "path": "/opt/cni/bin" + "name": "cni-bin-dir" + - "hostPath": + "path": "/etc/cni/net.d" + "name": "cni-net-dir" + - "hostPath": + "path": "/var/run/dockershim.sock" + "name": "dockershim" + - "hostPath": + "path": "/var/log/aws-routed-eni" + "type": "DirectoryOrCreate" + "name": "log-dir" + - "hostPath": + "path": "/var/run/aws-node" + "type": "DirectoryOrCreate" + "name": "run-dir" + "updateStrategy": + "rollingUpdate": + "maxUnavailable": "10%" + "type": "RollingUpdate" +--- +"apiVersion": "v1" +"kind": "ServiceAccount" +"metadata": + "name": "aws-node" + "namespace": "kube-system" +... diff --git a/config/v1.7/calico.yaml b/config/v1.7/calico.yaml new file mode 100644 index 0000000000..cfb617d69e --- /dev/null +++ b/config/v1.7/calico.yaml @@ -0,0 +1,758 @@ +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: calico-node + namespace: kube-system + labels: + k8s-app: calico-node +spec: + selector: + matchLabels: + k8s-app: calico-node + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + k8s-app: calico-node + spec: + priorityClassName: system-node-critical + nodeSelector: + beta.kubernetes.io/os: linux + hostNetwork: true + serviceAccountName: calico-node + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 0 + containers: + # Runs calico/node container on each Kubernetes node. This + # container programs network policy and routes on each + # host. + - name: calico-node + image: quay.io/calico/node:v3.13.4 + env: + # Use Kubernetes API as the backing datastore. + - name: DATASTORE_TYPE + value: "kubernetes" + # Use eni not cali for interface prefix + - name: FELIX_INTERFACEPREFIX + value: "eni" + # Enable felix info logging. + - name: FELIX_LOGSEVERITYSCREEN + value: "info" + # Don't enable BGP. + - name: CALICO_NETWORKING_BACKEND + value: "none" + # Cluster type to identify the deployment type + - name: CLUSTER_TYPE + value: "k8s,ecs" + # Disable file logging so `kubectl logs` works. + - name: CALICO_DISABLE_FILE_LOGGING + value: "true" + - name: FELIX_TYPHAK8SSERVICENAME + value: "calico-typha" + # Set Felix endpoint to host default action to ACCEPT. + - name: FELIX_DEFAULTENDPOINTTOHOSTACTION + value: "ACCEPT" + # This will make Felix honor AWS VPC CNI's mangle table + # rules. + - name: FELIX_IPTABLESMANGLEALLOWACTION + value: Return + # Disable IPV6 on Kubernetes. + - name: FELIX_IPV6SUPPORT + value: "false" + # Wait for the datastore. + - name: WAIT_FOR_DATASTORE + value: "true" + - name: FELIX_LOGSEVERITYSYS + value: "none" + - name: FELIX_PROMETHEUSMETRICSENABLED + value: "true" + - name: NO_DEFAULT_POOLS + value: "true" + # Set based on the k8s node name. + - name: NODENAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # No IP address needed. + - name: IP + value: "" + - name: FELIX_HEALTHENABLED + value: "true" + securityContext: + privileged: true + livenessProbe: + exec: + command: + - /bin/calico-node + - -felix-live + periodSeconds: 10 + initialDelaySeconds: 10 + failureThreshold: 6 + readinessProbe: + exec: + command: + - /bin/calico-node + - -felix-ready + periodSeconds: 10 + volumeMounts: + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false + - mountPath: /var/run/calico + name: var-run-calico + readOnly: false + - mountPath: /var/lib/calico + name: var-lib-calico + readOnly: false + volumes: + # Used to ensure proper kmods are installed. + - name: lib-modules + hostPath: + path: /lib/modules + - name: var-run-calico + hostPath: + path: /var/run/calico + - name: var-lib-calico + hostPath: + path: /var/lib/calico + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate + tolerations: + # Make sure calico/node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + +--- + +# Create all the CustomResourceDefinitions needed for +# Calico policy-only mode. + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: felixconfigurations.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + versions: + - name: v1 + served: true + storage: true + names: + kind: FelixConfiguration + plural: felixconfigurations + singular: felixconfiguration + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ipamblocks.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + versions: + - name: v1 + served: true + storage: true + names: + kind: IPAMBlock + plural: ipamblocks + singular: ipamblock + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: blockaffinities.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + versions: + - name: v1 + served: true + storage: true + names: + kind: BlockAffinity + plural: blockaffinities + singular: blockaffinity + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: bgpconfigurations.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + versions: + - name: v1 + served: true + storage: true + names: + kind: BGPConfiguration + plural: bgpconfigurations + singular: bgpconfiguration + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: bgppeers.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + versions: + - name: v1 + served: true + storage: true + names: + kind: BGPPeer + plural: bgppeers + singular: bgppeer +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + versions: + - name: v1 + served: true + storage: true + names: + kind: IPPool + plural: ippools + singular: ippool + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: hostendpoints.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + versions: + - name: v1 + served: true + storage: true + names: + kind: HostEndpoint + plural: hostendpoints + singular: hostendpoint + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterinformations.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + versions: + - name: v1 + served: true + storage: true + names: + kind: ClusterInformation + plural: clusterinformations + singular: clusterinformation + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: globalnetworkpolicies.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + versions: + - name: v1 + served: true + storage: true + names: + kind: GlobalNetworkPolicy + plural: globalnetworkpolicies + singular: globalnetworkpolicy + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: globalnetworksets.crd.projectcalico.org +spec: + scope: Cluster + group: crd.projectcalico.org + versions: + - name: v1 + served: true + storage: true + names: + kind: GlobalNetworkSet + plural: globalnetworksets + singular: globalnetworkset + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.projectcalico.org +spec: + scope: Namespaced + group: crd.projectcalico.org + versions: + - name: v1 + served: true + storage: true + names: + kind: NetworkPolicy + plural: networkpolicies + singular: networkpolicy + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: networksets.crd.projectcalico.org +spec: + scope: Namespaced + group: crd.projectcalico.org + versions: + - name: v1 + served: true + storage: true + names: + kind: NetworkSet + plural: networksets + singular: networkset + +--- + +# Create the ServiceAccount and roles necessary for Calico. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-node + namespace: kube-system + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-node +rules: + # The CNI plugin needs to get pods, nodes, configmaps, and namespaces. + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + - configmaps + verbs: + - get + - apiGroups: [""] + resources: + - endpoints + - services + verbs: + # Used to discover service IPs for advertisement. + - watch + - list + # Used to discover Typhas. + - get + - apiGroups: [""] + resources: + - nodes/status + verbs: + # Needed for clearing NodeNetworkUnavailable flag. + - patch + # Calico stores some configuration information in node annotations. + - update + # Watch for changes to Kubernetes NetworkPolicies. + - apiGroups: ["networking.k8s.io"] + resources: + - networkpolicies + verbs: + - watch + - list + # Used by Calico for policy information. + - apiGroups: [""] + resources: + - pods + - namespaces + - serviceaccounts + verbs: + - list + - watch + # The CNI plugin patches pods/status. + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + # Calico monitors various CRDs for config. + - apiGroups: ["crd.projectcalico.org"] + resources: + - globalfelixconfigs + - felixconfigurations + - bgppeers + - globalbgpconfigs + - bgpconfigurations + - ippools + - ipamblocks + - globalnetworkpolicies + - globalnetworksets + - networkpolicies + - networksets + - clusterinformations + - hostendpoints + - blockaffinities + verbs: + - get + - list + - watch + # Calico must create and update some CRDs on startup. + - apiGroups: ["crd.projectcalico.org"] + resources: + - ippools + - felixconfigurations + - clusterinformations + verbs: + - create + - update + # Calico stores some configuration information on the node. + - apiGroups: [""] + resources: + - nodes + verbs: + - get + - list + - watch + # These permissions are only requried for upgrade from v2.6, and can + # be removed after upgrade or on fresh installations. + - apiGroups: ["crd.projectcalico.org"] + resources: + - bgpconfigurations + - bgppeers + verbs: + - create + - update + # These permissions are required for Calico CNI to perform IPAM allocations. + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + - apiGroups: ["crd.projectcalico.org"] + resources: + - ipamconfigs + verbs: + - get + # Block affinities must also be watchable by confd for route aggregation. + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + verbs: + - watch + # The Calico IPAM migration needs to get daemonsets. These permissions can be + # removed if not upgrading from an installation using host-local IPAM. + - apiGroups: ["apps"] + resources: + - daemonsets + verbs: + - get + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-node +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-node +subjects: + - kind: ServiceAccount + name: calico-node + namespace: kube-system + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: calico-typha + namespace: kube-system + labels: + k8s-app: calico-typha +spec: + revisionHistoryLimit: 2 + selector: + matchLabels: + k8s-app: calico-typha + template: + metadata: + labels: + k8s-app: calico-typha + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: 'true' + spec: + priorityClassName: system-cluster-critical + nodeSelector: + beta.kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + hostNetwork: true + serviceAccountName: calico-node + # fsGroup allows using projected serviceaccount tokens as described here kubernetes/kubernetes#82573 + securityContext: + fsGroup: 65534 + containers: + - image: quay.io/calico/typha:v3.13.4 + name: calico-typha + ports: + - containerPort: 5473 + name: calico-typha + protocol: TCP + env: + # Use eni not cali for interface prefix + - name: FELIX_INTERFACEPREFIX + value: "eni" + - name: TYPHA_LOGFILEPATH + value: "none" + - name: TYPHA_LOGSEVERITYSYS + value: "none" + - name: TYPHA_LOGSEVERITYSCREEN + value: "info" + - name: TYPHA_PROMETHEUSMETRICSENABLED + value: "true" + - name: TYPHA_CONNECTIONREBALANCINGMODE + value: "kubernetes" + - name: TYPHA_PROMETHEUSMETRICSPORT + value: "9093" + - name: TYPHA_DATASTORETYPE + value: "kubernetes" + - name: TYPHA_MAXCONNECTIONSLOWERLIMIT + value: "1" + - name: TYPHA_HEALTHENABLED + value: "true" + # This will make Felix honor AWS VPC CNI's mangle table + # rules. + - name: FELIX_IPTABLESMANGLEALLOWACTION + value: Return + livenessProbe: + httpGet: + path: /liveness + port: 9098 + host: localhost + periodSeconds: 30 + initialDelaySeconds: 30 + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + readinessProbe: + httpGet: + path: /readiness + port: 9098 + host: localhost + periodSeconds: 10 + +--- + +# This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: calico-typha + namespace: kube-system + labels: + k8s-app: calico-typha +spec: + maxUnavailable: 1 + selector: + matchLabels: + k8s-app: calico-typha + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: typha-cpha +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: typha-cpha +subjects: + - kind: ServiceAccount + name: typha-cpha + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: typha-cpha +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["watch", "list"] + +--- + +kind: ConfigMap +apiVersion: v1 +metadata: + name: calico-typha-horizontal-autoscaler + namespace: kube-system +data: + ladder: |- + { + "coresToReplicas": [], + "nodesToReplicas": + [ + [1, 1], + [10, 2], + [100, 3], + [250, 4], + [500, 5], + [1000, 6], + [1500, 7], + [2000, 8] + ] + } + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: calico-typha-horizontal-autoscaler + namespace: kube-system + labels: + k8s-app: calico-typha-autoscaler +spec: + selector: + matchLabels: + k8s-app: calico-typha-autoscaler + replicas: 1 + template: + metadata: + labels: + k8s-app: calico-typha-autoscaler + spec: + priorityClassName: system-cluster-critical + nodeSelector: + beta.kubernetes.io/os: linux + containers: + - image: k8s.gcr.io/cluster-proportional-autoscaler-amd64:1.7.1 + name: autoscaler + command: + - /cluster-proportional-autoscaler + - --namespace=kube-system + - --configmap=calico-typha-horizontal-autoscaler + - --target=deployment/calico-typha + - --logtostderr=true + - --v=2 + resources: + requests: + cpu: 10m + limits: + cpu: 10m + serviceAccountName: typha-cpha + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: typha-cpha + namespace: kube-system +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + - apiGroups: ["extensions", "apps"] + resources: ["deployments/scale"] + verbs: ["get", "update"] + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: typha-cpha + namespace: kube-system + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: typha-cpha + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: typha-cpha +subjects: + - kind: ServiceAccount + name: typha-cpha + namespace: kube-system + +--- + +apiVersion: v1 +kind: Service +metadata: + name: calico-typha + namespace: kube-system + labels: + k8s-app: calico-typha +spec: + ports: + - port: 5473 + protocol: TCP + targetPort: calico-typha + name: calico-typha + selector: + k8s-app: calico-typha diff --git a/config/v1.7/cni-metrics-helper-cn.yaml b/config/v1.7/cni-metrics-helper-cn.yaml new file mode 100644 index 0000000000..c448ed2b23 --- /dev/null +++ b/config/v1.7/cni-metrics-helper-cn.yaml @@ -0,0 +1,100 @@ +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRoleBinding" +"metadata": + "name": "cni-metrics-helper" +"roleRef": + "apiGroup": "rbac.authorization.k8s.io" + "kind": "ClusterRole" + "name": "cni-metrics-helper" +"subjects": +- "kind": "ServiceAccount" + "name": "cni-metrics-helper" + "namespace": "kube-system" +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRole" +"metadata": + "name": "cni-metrics-helper" +"rules": +- "apiGroups": + - "" + "resources": + - "nodes" + - "pods" + - "pods/proxy" + - "services" + - "resourcequotas" + - "replicationcontrollers" + - "limitranges" + - "persistentvolumeclaims" + - "persistentvolumes" + - "namespaces" + - "endpoints" + "verbs": + - "list" + - "watch" + - "get" +- "apiGroups": + - "extensions" + "resources": + - "daemonsets" + - "deployments" + - "replicasets" + "verbs": + - "list" + - "watch" +- "apiGroups": + - "apps" + "resources": + - "statefulsets" + "verbs": + - "list" + - "watch" +- "apiGroups": + - "batch" + "resources": + - "cronjobs" + - "jobs" + "verbs": + - "list" + - "watch" +- "apiGroups": + - "autoscaling" + "resources": + - "horizontalpodautoscalers" + "verbs": + - "list" + - "watch" +--- +"apiVersion": "apps/v1" +"kind": "Deployment" +"metadata": + "labels": + "k8s-app": "cni-metrics-helper" + "name": "cni-metrics-helper" + "namespace": "kube-system" +"spec": + "selector": + "matchLabels": + "k8s-app": "cni-metrics-helper" + "template": + "metadata": + "labels": + "k8s-app": "cni-metrics-helper" + "spec": + "containers": + - "env": + - "name": "USE_CLOUDWATCH" + "value": "true" + "image": "961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/cni-metrics-helper:v1.7.0" + "imagePullPolicy": "Always" + "name": "cni-metrics-helper" + "serviceAccountName": "cni-metrics-helper" +--- +"apiVersion": "v1" +"kind": "ServiceAccount" +"metadata": + "name": "cni-metrics-helper" + "namespace": "kube-system" +... diff --git a/config/v1.7/cni-metrics-helper-us-gov-east-1.yaml b/config/v1.7/cni-metrics-helper-us-gov-east-1.yaml new file mode 100644 index 0000000000..f8f8403e85 --- /dev/null +++ b/config/v1.7/cni-metrics-helper-us-gov-east-1.yaml @@ -0,0 +1,100 @@ +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRoleBinding" +"metadata": + "name": "cni-metrics-helper" +"roleRef": + "apiGroup": "rbac.authorization.k8s.io" + "kind": "ClusterRole" + "name": "cni-metrics-helper" +"subjects": +- "kind": "ServiceAccount" + "name": "cni-metrics-helper" + "namespace": "kube-system" +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRole" +"metadata": + "name": "cni-metrics-helper" +"rules": +- "apiGroups": + - "" + "resources": + - "nodes" + - "pods" + - "pods/proxy" + - "services" + - "resourcequotas" + - "replicationcontrollers" + - "limitranges" + - "persistentvolumeclaims" + - "persistentvolumes" + - "namespaces" + - "endpoints" + "verbs": + - "list" + - "watch" + - "get" +- "apiGroups": + - "extensions" + "resources": + - "daemonsets" + - "deployments" + - "replicasets" + "verbs": + - "list" + - "watch" +- "apiGroups": + - "apps" + "resources": + - "statefulsets" + "verbs": + - "list" + - "watch" +- "apiGroups": + - "batch" + "resources": + - "cronjobs" + - "jobs" + "verbs": + - "list" + - "watch" +- "apiGroups": + - "autoscaling" + "resources": + - "horizontalpodautoscalers" + "verbs": + - "list" + - "watch" +--- +"apiVersion": "apps/v1" +"kind": "Deployment" +"metadata": + "labels": + "k8s-app": "cni-metrics-helper" + "name": "cni-metrics-helper" + "namespace": "kube-system" +"spec": + "selector": + "matchLabels": + "k8s-app": "cni-metrics-helper" + "template": + "metadata": + "labels": + "k8s-app": "cni-metrics-helper" + "spec": + "containers": + - "env": + - "name": "USE_CLOUDWATCH" + "value": "true" + "image": "151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/cni-metrics-helper:v1.7.0" + "imagePullPolicy": "Always" + "name": "cni-metrics-helper" + "serviceAccountName": "cni-metrics-helper" +--- +"apiVersion": "v1" +"kind": "ServiceAccount" +"metadata": + "name": "cni-metrics-helper" + "namespace": "kube-system" +... diff --git a/config/v1.7/cni-metrics-helper-us-gov-west-1.yaml b/config/v1.7/cni-metrics-helper-us-gov-west-1.yaml new file mode 100644 index 0000000000..fdb78fe6ca --- /dev/null +++ b/config/v1.7/cni-metrics-helper-us-gov-west-1.yaml @@ -0,0 +1,100 @@ +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRoleBinding" +"metadata": + "name": "cni-metrics-helper" +"roleRef": + "apiGroup": "rbac.authorization.k8s.io" + "kind": "ClusterRole" + "name": "cni-metrics-helper" +"subjects": +- "kind": "ServiceAccount" + "name": "cni-metrics-helper" + "namespace": "kube-system" +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRole" +"metadata": + "name": "cni-metrics-helper" +"rules": +- "apiGroups": + - "" + "resources": + - "nodes" + - "pods" + - "pods/proxy" + - "services" + - "resourcequotas" + - "replicationcontrollers" + - "limitranges" + - "persistentvolumeclaims" + - "persistentvolumes" + - "namespaces" + - "endpoints" + "verbs": + - "list" + - "watch" + - "get" +- "apiGroups": + - "extensions" + "resources": + - "daemonsets" + - "deployments" + - "replicasets" + "verbs": + - "list" + - "watch" +- "apiGroups": + - "apps" + "resources": + - "statefulsets" + "verbs": + - "list" + - "watch" +- "apiGroups": + - "batch" + "resources": + - "cronjobs" + - "jobs" + "verbs": + - "list" + - "watch" +- "apiGroups": + - "autoscaling" + "resources": + - "horizontalpodautoscalers" + "verbs": + - "list" + - "watch" +--- +"apiVersion": "apps/v1" +"kind": "Deployment" +"metadata": + "labels": + "k8s-app": "cni-metrics-helper" + "name": "cni-metrics-helper" + "namespace": "kube-system" +"spec": + "selector": + "matchLabels": + "k8s-app": "cni-metrics-helper" + "template": + "metadata": + "labels": + "k8s-app": "cni-metrics-helper" + "spec": + "containers": + - "env": + - "name": "USE_CLOUDWATCH" + "value": "true" + "image": "013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/cni-metrics-helper:v1.7.0" + "imagePullPolicy": "Always" + "name": "cni-metrics-helper" + "serviceAccountName": "cni-metrics-helper" +--- +"apiVersion": "v1" +"kind": "ServiceAccount" +"metadata": + "name": "cni-metrics-helper" + "namespace": "kube-system" +... diff --git a/config/v1.7/cni-metrics-helper.yaml b/config/v1.7/cni-metrics-helper.yaml new file mode 100644 index 0000000000..4c8384656d --- /dev/null +++ b/config/v1.7/cni-metrics-helper.yaml @@ -0,0 +1,100 @@ +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRoleBinding" +"metadata": + "name": "cni-metrics-helper" +"roleRef": + "apiGroup": "rbac.authorization.k8s.io" + "kind": "ClusterRole" + "name": "cni-metrics-helper" +"subjects": +- "kind": "ServiceAccount" + "name": "cni-metrics-helper" + "namespace": "kube-system" +--- +"apiVersion": "rbac.authorization.k8s.io/v1" +"kind": "ClusterRole" +"metadata": + "name": "cni-metrics-helper" +"rules": +- "apiGroups": + - "" + "resources": + - "nodes" + - "pods" + - "pods/proxy" + - "services" + - "resourcequotas" + - "replicationcontrollers" + - "limitranges" + - "persistentvolumeclaims" + - "persistentvolumes" + - "namespaces" + - "endpoints" + "verbs": + - "list" + - "watch" + - "get" +- "apiGroups": + - "extensions" + "resources": + - "daemonsets" + - "deployments" + - "replicasets" + "verbs": + - "list" + - "watch" +- "apiGroups": + - "apps" + "resources": + - "statefulsets" + "verbs": + - "list" + - "watch" +- "apiGroups": + - "batch" + "resources": + - "cronjobs" + - "jobs" + "verbs": + - "list" + - "watch" +- "apiGroups": + - "autoscaling" + "resources": + - "horizontalpodautoscalers" + "verbs": + - "list" + - "watch" +--- +"apiVersion": "apps/v1" +"kind": "Deployment" +"metadata": + "labels": + "k8s-app": "cni-metrics-helper" + "name": "cni-metrics-helper" + "namespace": "kube-system" +"spec": + "selector": + "matchLabels": + "k8s-app": "cni-metrics-helper" + "template": + "metadata": + "labels": + "k8s-app": "cni-metrics-helper" + "spec": + "containers": + - "env": + - "name": "USE_CLOUDWATCH" + "value": "true" + "image": "602401143452.dkr.ecr.us-west-2.amazonaws.com/cni-metrics-helper:v1.7.0" + "imagePullPolicy": "Always" + "name": "cni-metrics-helper" + "serviceAccountName": "cni-metrics-helper" +--- +"apiVersion": "v1" +"kind": "ServiceAccount" +"metadata": + "name": "cni-metrics-helper" + "namespace": "kube-system" +...